TAGPMA & the Bridge WG (Scott Rea – Dartmouth College) Internet2 Member Meeting, Dec 2006 PKI Activities and Applications Update - Chicago, IL.

1 TAGPMA & the Bridge WG (Scott Rea – Dartmouth College) Internet2 Member Meeting, Dec 2006 PKI Activities and Applications Update - Chicago, IL

2 International Grid Trust Federation
IGTF founded in Oct, 2005 at GGF 15
IGTF Purpose:
  – Manage authentication services for global computational grids via policy and procedures
IGTF goal:
  – Harmonize and synchronize member PMAs' policies to establish and maintain global trust relationships
IGTF members:
  – 3 regional Policy Management Authorities
    EUgridPMA
    APgridPMA
    TAGPMA
50+ CAs, 50,000+ credentials

3 IGTF

4 IGTF general Architecture
The member PMAs are responsible for accrediting authorities that issue identity assertions.
The IGTF maintains a set of authentication profiles (APs) that specify the policy and technical requirements for a class of identity assertions and assertion providers.
The management and continued evolution of an AP is assigned by the IGTF to a specific member PMA.
  – Proposed changes to an AP will be circulated by the chair of the PMA managing the AP to all chairs of the IGTF member PMAs.
Each of the PMAs will accredit credential-issuing authorities and document the accreditation policy and procedures.
Any changes to the policy and practices of a credential-issuing authority after accreditation will void the accreditation unless the changes have been approved by the accrediting PMA prior to their taking effect.

5 EUGridPMA members and applicants
Green: EMEA countries with an Accredited Authority
  – 23 of 25 EU member states (all except LU, MT)
  – + AM, CH, HR, IL, IS, NO, PK, RU, TR
Other Accredited Authorities:
  – DoEGrids (.us), GridCanada (.ca), CERN, SEE catch-all

6 EUgridPMA Membership
Under “Classic X.509 secured infrastructure” authorities
  – accredited: 38 (recent additions: CERN-IT/IS, SRCE)
  – active applicants: 4 (Serbia, Bulgaria, Romania, Morocco)
Under “SLCS”
  – accredited: 0
  – active applicants: 1 (SWITCH-aai)
Under MICS draft
  – none yet of course, but actually CERN-IS would be a good match for MICS as well
Major relying parties
  – EGEE, DEISA, SEE-GRID, LCG, TERENA

7 Map of the APGrid PMA
Ex-officio Membership
  – APAC (Australia)
  – CNIC/SDG, IHEP (China)
  – AIST, KEK, NAREGI (Japan)
  – KISTI (Korea)
  – NGO (Singapore)
  – ASGCC, NCHC (Taiwan)
  – NECTEC, ThaiGrid (Thailand)
  – PRAGMA/UCSD (USA)
General Membership
  – U. Hong Kong (China)
  – U. Hyderabad (India)
  – Osaka U. (Japan)
  – USM (Malaysia)

8 APgridPMA Membership
9 Accredited CAs
  – In operation
    AIST (Japan)
    APAC (Australia)
    ASGCC (Taiwan)
    CNIC (China)
    IHEP (China)
    KEK (Japan)
    NAREGI (Japan)
  – Will be in operation
    NCHC (Taiwan)
    NECTEC (Thailand)
1 CA under review
  – NGO (Singapore)
Will be re-accredited
  – KISTI (Korea)
Planning
  – PRAGMA (USA)
  – ThaiGrid (Thailand)
General membership
  – Osaka U. (Japan)
  – U. Hong Kong (China)
  – U. Hyderabad (India)
  – USM (Malaysia)

9 TAGPMA

10 TAGPMA Membership
Accredited
  – Argentina UNLP
  – Brazilian Grid CA
  – CANARIE (Canada)*
  – DOEGrids*
  – EELA LA Catch all Grid CA
  – ESnet/DOE Office Science*
  – REUNA Chilean CA
  – TACC – Root
In Review
  – FNAL
  – Mexico UNAM
  – NCSA – Classic/SLCS
  – Purdue University
  – TACC – Classic/SLCS
  – Venezuela
  – Virginia
  – USHER
Relying Parties
  – Dartmouth/HEBCA
  – EELA
  – OSG
  – SDSC
  – SLAC
  – TeraGrid
  – TheGrid
  – LCG
*Accredited by EUgridPMA

11 TAGPMA Bridge Working Group
Recognition that there are different LOAs
  – in the way some credential service providers operate
  – Required by different applications
More efficient ways of distributing Trust Anchors
Interoperation with other trust federations
Scott Rea is Chair, representatives from each regional PMA included

12 Recent Mapping Exercises
Federal Bridge CA (FBCA) General Profile against IGTF Classic Profile
Federal Citizen & Commerce Certificate CA (C-4) against IGTF Classic Profile
IGTF Classic Profile against C-4

13 Mapping Designations
Seven (7) designations used to characterize the equivalency
  – Exceeds - The ENTITY CP policy provides a higher level of assurance/security than the Federal CP requirement.
  – Equivalent - The ENTITY CP policy provides exactly the same assurance/security as the Federal CP requirement.
  – Comparable - The ENTITY CP contains dissimilar policy contents, but provides a comparable level of assurance to meet the security to the Federal CP requirement.
  – Partial - The ENTITY CP contains policy that is comparable, but it does not address the entire Federal CP requirement.
  – Not Comparable - The ENTITY CP contains dissimilar policy contents, which provides a lower level of assurance/security than the Federal CP requirement.
  – Missing - The ENTITY CP does not contain policy contents that can be compared to the Federal CP requirement in any way.
  – N/A - Not Applicable to ENTITY CP or required for FBCA cross certification.

14 Mapping Results
C-4 against IGTF Classic Profile
  – 30 policy points evaluated
  – 14 Comparable designations
  – 12 Partial designations
  – 3 Not Comparable designations
  – 1 Not Applicable designation

15 Mapping Results
FBCA General against IGTF Classic Profile
Basic LOA used for Comparisons
  – 136 policy points evaluated
  – 22 Comparable designations
  – 33 Partial designations
  – 12 Not Comparable designations
  – 65 Missing designations
  – 3 Not Applicable designations

16 Mapping Results
IGTF Classic Profile against C-4
  – 30 policy points evaluated
  – 19 Comparable designations
  – 1 Partial designation
  – 10 Exceeds designations

17 Proposed Inter-federations
[Diagram. Labels: FBCA; HEBCA; SAFE; CertiPath; Other Bridges; IGTF; C-4; Dartmouth, Wisconsin, Texas, Univ-N, UVA, USHER; DST ACES; NIH; HE JP; AusCert; CAUDIT PKI; HE BR; CA-1 … CA-n; Cross-certs]

18 [Diagram. Labels: FPKI; IGTF; HEBCA/USHER; High; Medium Hardware CBP; Medium Software CBP; Basic; Rudimentary; C-4; High; Medium; Basic; Rudimentary; Foundation; Classic CA; SLCS; MICS; SAML; Username/Password]

19 For More Information
IGTF Website: http://www.gridpma.org/
TAGPMA Website: http://www.tagpma.org/
Scott Rea - Scott.Rea@dartmouth.edu

